NTLM Authentication Protocol

When a client attempts to open a title, and NTLM authentication is enabled, the server uses an encrypted challenge/response scheme to authenticate the user who is logged on to the current session on the client computer. Because NTLM uses authentication information established when the user logs on, it requires the client and server to be on the same or trusted domain. NTLM authentication is done without transferring the user’s credentials, which means the server does not have access to the user name or password. NTLM authentication protocol is better suited for intranet applications.

The challenge/response scheme of NTLM authentication involves the exchange of several pieces of data.

• The client first tries to open a title on a server, and receives an authentication error.
  
  
• When the client receives the authentication error, it responds by sending its domain and computer names to the server. The server passes this data to the authenticator.
• The authenticator passes back the NTLM challenge, and the server sends this data to the client.
• The client replies by sending the NTLM challenge/response to the server. The server passes this data to the authenticator for inspection.

The authenticator checks the data against entries stored in the NTLM user account database, and notifies the server of the result. The server grants or denies the client access to the content based on the result.